Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Malicious ESLint Packages Steal Software Registry Login Tokens

Following the compromise of an ESLint maintainer’s account last week, malicious packages that attempted to steal login tokens from the npm software registry were published without authorization.

Following the compromise of an ESLint maintainer’s account last week, malicious packages that attempted to steal login tokens from the npm software registry were published without authorization.

 Originally created by Nicholas Zakas, ESLint is described as an open source “pluggable and configurable linter tool” for identifying and reporting on patterns in JavaScript.

The issue affected version 3.7.2 of the popular package eslint-scope, as well as version 5.0.2 of eslint-config-eslint. The former is a scope analysis library used by older versions of eslint, and the latest versions of babel-eslint and webpack, while the latter is a configuration used internally by the ESLint team.

Both packages were hosted on npm, “the package manager for JavaScript and the world’s largest software registry,” which has faced similar incidents before.

Upon installation, the rogue packages would download and execute code from pastebin.com. The code was designed to grab the content of the user’s .npmrc file, which usually contains access tokens for publishing to npm, and send the information to the attacker.

“The script extracts the _authToken from a user’s .npmrc and sends it to histats and statcounter inside the Referer header,” Henry Zhu notes.

Both of the malicious packages were unpublished from npm soon after the issue was discovered. Furthermore, the pastebin.com paste linked in these packages was taken down as well, ESLint explains in a post.

The npm login tokens targeted by the malicious code would not provide the attacker with the user’s npm password, but npm nonetheless decided to revoke possibly impacted tokens. Users too have the option to revoke existing tokens and npm advised them to do so.

Advertisement. Scroll to continue reading.

“We have now invalidated all npm tokens issued before 2018-07-12 12:30 UTC, eliminating the possibility of stolen tokens being used maliciously,” npm said.

The compromise was apparently possible because the maintainer had reused the same password on multiple accounts and also didn’t have two-factor authentication enabled on their npm account.

To ensure users are no longer at risk, ESLint published eslint-scope version 3.7.3 (with code from version 3.7.1) and eslint-config-eslint version 5.0.3.

The publishing of the updated packages doesn’t resolve the issue for all users, as those who installed the rogue packages would still need to do npm update or equivalent.

Related: Backdoored Module Removed from npm Registry

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.